Even better, the timeline:<p><pre><code> - February 11th: Vendor informed of the issue
- February 25th: 28 people die because of the issue
- February 26th: The vendor ships a fix
</code></pre>
I'd have loved to be a fly on the wall for that phone call on the 25th (or early on the 26th).
This particular bug is often taught in university compsci classes as "bug that killed people" is a good attention grabber -- the CS/EE analysis is sound; its truthfulness is only suspect because of the DoD's claimed successes.<p>A more truthful "computer bugs that killed people" example would be the Therac-25 - a machine intended to treat cancer with tightly-focused radiation therapy. Six patients died as a result of massive overdoses of radiation, on the order of 20,000 rads. It was possible for the machine to end up in a state where it delivered full-power radiation without a hardware shield in place to protect the rest of the patient's body. No hardware interlocks were used to ensure that the full power mode was only usable with the shield in place - all safety features relied on software. In addition, the bug was only possible when an operator made a mistake in mode selection and then <i>rapidly</i> (proficiently) corrected it - the rapidity required prevented the bug from being discovered during slow, methodical, careful testing.<p>See Hackaday's article Killed by a Machine (and associated HN discussion) or, for the especially curious, a 49-page post-mortem for more detail:<p><a href="https://hackaday.com/2015/10/26/killed-by-a-machine-the-therac-25/" rel="nofollow">https://hackaday.com/2015/10/26/killed-by-a-machine-the-ther...</a><p><a href="https://news.ycombinator.com/item?id=12201147" rel="nofollow">https://news.ycombinator.com/item?id=12201147</a><p><a href="http://sunnyday.mit.edu/papers/therac.pdf" rel="nofollow">http://sunnyday.mit.edu/papers/therac.pdf</a>
This was a tragic and preventable loss. It's incredible that a software bug might have been the root cause.<p>At the time, this incident really stuck out because it broke the illusion of our fabled Patriot missile shield protecting us. Civilian expats really <i>believed</i> the inflated Patriot interception rates parroted to us by mainstream media and our American military expat buddies.<p>A large number of remaining expats who had stuck out the Gulf War to that point decided to pack it in and leave when word got out that the Dhahran barracks were hit. Although history shows that Iraq surrendered days after this incident, at the time there was heightened fear and confusion amongst the remaining expats, especially the non-Americans.<p>We left on the last Lufthansa flight (crewed by military personnel) after hearing about this.<p>Nostalgic edit:<p>During the Gulf War embassies issued equipment and rations to expat citizens who chose to stay behind. Americans were issued full body suits (for adults and youths) due to the biological and chemical weapon payloads that Saddam boasted his SCUDs were carrying, along with MREs that tasted fabulous! In stark contrast, Commonwealth citizens were issued a bare gas mask (adult size only) and mono-flavour MREs that tasted like cardboard.<p>The British embassy sticks out in my mind: with stern stone-faced expressions they admonished us all for not evacuating and thus endangering children in a war zone. In addition to the terrible rations and gas masks, they wordlessly gave us a stack of translucent stickers. When asked what they were for, embassy staff explained that in the event of the air siren going off, we should get under our sturdiest tables and don our gas masks (standard procedure), and <i>then</i> slap the stickers on. 
If the stickers changed colour, it meant we were in the presence of a biochemical agent and would have approximately 10 seconds before we died a horrific death.<p>You kind of had to be there to appreciate the grim humour.
I remember hearing about this in my numerical analysis class.<p>1. I remember hearing the system was only designed for XX operational hours but was being run over the operational spec.<p>2. The time was stored in base 10 so the calculation errors added up over time, or something like that, so if they had used some base 2 timing scheme it wouldn't have had issues with rounding errors.<p>My class was in the mid nineties so the details of my 25-year-old memory are pretty hazy...at best.
The inimitable comp.risks discussed this in 1992:<p><a href="http://catless.ncl.ac.uk/Risks/13/35#subj1.1" rel="nofollow">http://catless.ncl.ac.uk/Risks/13/35#subj1.1</a><p><a href="http://catless.ncl.ac.uk/Risks/13/76#subj8.1" rel="nofollow">http://catless.ncl.ac.uk/Risks/13/76#subj8.1</a><p>And in 1997:<p><a href="http://catless.ncl.ac.uk/Risks/18/79#subj9.1" rel="nofollow">http://catless.ncl.ac.uk/Risks/18/79#subj9.1</a>
Despite other comments below, I think that the equivalence drawn between "failed to save" and "killed" reflects an interesting philosophical choice. I don't think that this equivalence is universally accepted, even by those who call thinking otherwise fallacious.<p>If an EMT fails to save a victim of a car crash, did he/she kill the victim? If the dispatcher misspoke and gave the wrong cross street, delaying aid, did the dispatcher kill them?
For doing a ballistic propagation, you apply a gravitational map in Earth-centered, Earth-fixed (ECEF) geodetic coordinates, then convert to Earth-centered rotating (ECR) geodetic coordinates, because that way you don't have to correct for the Coriolis effect. That ECEF-ECR conversion requires a time-of-day parameter.<p>You can use a gravitational map that only accounts for latitude, but it isn't as precise.<p>So using an accurate clock is <i>really</i> important if your intent is to hit a missile with a missile.
This is a completely misleading headline. The Patriot missile was not effective at destroying the Scud [0]. The DoD initially claimed successful intercepts when the missile detonated near the Scud, but it rarely, if ever, actually destroyed the warhead. The only reason there was an illusion of success was that the Scud was also spectacularly unreliable and often broke up on re-entry or failed to detonate. It is a complete falsehood to claim that the Patriot would have prevented this loss of life.<p>[0] <a href="http://www.slate.com/articles/news_and_politics/war_stories/2003/03/patriot_games.html" rel="nofollow">http://www.slate.com/articles/news_and_politics/war_stories/...</a>
Reboot. Around the same time-frame we gathered the flag for a deployment (fleet admiral) and I was responsible for UNIX systems on the ship. Not long after coming aboard the command came down to reboot all of the systems at midnight, nightly (yes, only the UNIX systems). Being that "But Mister.." never really gets you too far in the military I just rode it iterating through any possible reason for the madness, nightly. I could never come up with a good one. Until now. (ok, perhaps not a "good" reason but crazy enough to count.)<p>It now makes much more sense to me that a (terrible) mishap had occurred and possible prevention was only a reboot away. I can see how being exposed to that context at upper levels could easily cause one to latch onto any perceived preventative measures.<p>I also once saw a short ntp time step across multiple clusters (yeh, simultaneously) shut down half of a wafer factory.<p>Time is important.. but rebooting all your systems at midnight probably will not help you to control it. This especially if there are large, hot, fast objects flying around in the night sky and definitely, really, don't do ALL of them at the same time every day .. especially during, you know, battle. /pro-tip
I've often wondered, considering the supposed low accuracy of Scud missiles (wiki gives it a CEP of 450m), how many of the casualties from that incident were more due to the bad luck of the missile actually hitting its target.
This is a bad, editorialized title that is not the title of the article.<p>Mods should change this. The "software fix" was a software patch which corrected the clocking bug.<p>The "software workaround" to use pre-fix was a reboot.<p>I hate editorialized, lying titles :(
I could be reading this wrong, but 1/3 of a second within 100 hours seems really good, like something you'd get from a temperature-controlled crystal oven.<p>I don't mean to second-guess them in an area I know so little about, but if that was enough to cause a serious issue in the span of only a few days, shouldn't the devices be designed with a separate synchronization system, at least as a backup? Maybe GPS?<p>Which brings up a sort of interesting question...would a Patriot missile system even have receivers for a weak public signal like GPS, or is it all self-contained?
Regarding the comments about bug killed people versus weapon killed people.<p>There is no one answer; this argument is a result of black-white/yes-no/us-them single point of blame thinking, and it's terrible.<p>The bug <i>contributed</i> to the loss of life.
The title of this post is misleading, they eventually supplied a software patch that fixed the clock drift. The Israelis proposed rebooting as a stopgap until the bug could be fixed.
> The Patriot missile battery at Dhahran had been in operation for 100 hours, by which time the system's internal clock had drifted by one-third of a second. Due to the missile's speed this was equivalent to a miss distance of 600 meters.
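The figures quoted above (100 hours of uptime, one-third of a second of drift, roughly 600 m of miss distance) and the "time was stored in base 10" remark earlier in the thread both come from the same arithmetic: a tenth-of-a-second tick held in a binary fixed-point register cannot represent 0.1 exactly, and the truncation error is added once per tick. The example below is added here and is not code from any commenter or from the Patriot system; it assumes the documented 24-bit register layout (one sign bit, 23 fraction bits) and treats the 1700 m/s target speed as an assumed, constructed value.

```python
from fractions import Fraction
from math import floor

# Assumption: 24-bit fixed-point register = sign bit + 23 fraction bits.
FRAC_BITS = 23
TICK = Fraction(1, 10)           # the clock counted tenths of a second
TICKS_PER_HOUR = 3600 * 10


def truncate_fixed(value: Fraction, frac_bits: int = FRAC_BITS) -> Fraction:
    """Store value in binary fixed point by truncating (not rounding) low bits."""
    scale = 1 << frac_bits
    return Fraction(floor(value * scale), scale)


def binary_fraction(value: Fraction, bits: int = FRAC_BITS) -> str:
    """Human-readable truncated binary expansion, e.g. 0.00011001100110011001100."""
    return "0." + format(floor(value * (1 << bits)), f"0{bits}b")


def per_tick_error() -> Fraction:
    """Exact shortfall between 0.1 s and its truncated fixed-point value."""
    return TICK - truncate_fixed(TICK)


def clock_drift_seconds(uptime_hours: float) -> float:
    """Accumulated drift when the truncated 0.1 is summed once per tick.
    Drift grows linearly with uptime, which is why a reboot (resetting the
    tick count) was an effective stopgap."""
    ticks = int(uptime_hours * TICKS_PER_HOUR)
    return float(per_tick_error() * ticks)


def miss_distance_m(uptime_hours: float, target_speed_mps: float = 1700.0) -> float:
    """Range error for a target closing at target_speed_mps (constructed value)."""
    return clock_drift_seconds(uptime_hours) * target_speed_mps


def elapsed_seconds_exact(ticks: int) -> Fraction:
    """The defensive alternative: keep an integer tick count and divide once.
    No per-tick representation error is ever accumulated."""
    return Fraction(ticks, 10)


if __name__ == "__main__":
    print("0.1 s truncated to 23 bits:", binary_fraction(TICK))
    print("per-tick error (s):       ", float(per_tick_error()))
    print("drift after 100 h (s):    ", clock_drift_seconds(100))
    print("miss distance (m):        ", miss_distance_m(100))
```

Running it reproduces the thread's numbers: about 9.5e-8 s lost per tick, 0.343 s after 100 hours, and a few hundred metres of range error at Scud speeds, while the integer tick counter in `elapsed_seconds_exact` shows zero drift for the same uptime.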
The Scud missile led to their deaths, not the software. There's no absolute guarantee it would have intercepted it, plus rebooting a deployed machine regularly is an acceptable fix when it's live in the field.